SCOTT CHU, CISA
Henderson NV 89012
***********@*****.***
Cell: 732-***-****
Technologies Infrastructure Audit, Risk & Compliance SME
Experienced Technologies Infrastructure Auditor with a risk-based audit approach across various industries, IT platforms and domains. Working knowledge of (but not limited to): various Windows (WINXX), UNIX AIX and Linux systems; VMware server virtualization; various firewalls, network management tools, rules, services and protocols; VPN; security tools and appliances; wireless networks; various network scanning tools; IPS/IDS; EDR; Storage Area Network (SAN), HA and mirror environments; various data backup schemes; Microsoft Exchange email systems; various Data Loss Protection systems; VoIP and PSTN; security configurations on various DBMS (SQL Server, Oracle, DB2); various middleware technologies and interface controls; SWIFT; file traverse/transpose controls; load balancers and server clusters; various OS and non-OS job scheduling systems; RACF, Top Secret, Lotus Notes, NetSuite, SAP and various ERPs; SAML and Kerberos; TeamMate, AuditBoard, Archer, Open Page and Batch Mon; various SDLC, configuration and release methodologies; keeping myself current on OWASP and top vulnerabilities; various project and issue management tools; SIEM; and various access controls (TPAM, ISE, SSO, CyberArk, RADIUS, console, physical).
Professional Experiences
HSBC USA
Senior Compliance Manager May 2023 to Present
As an Internal Security Assessor (ISA) within HSBC USA, I streamline the PCI review process with detailed planning before meetings, which minimizes the impact on auditees' resources so they can perform their daily operations. List of accomplishments (but not limited to):
Led the 2023/2024/2025 HSBC USA PCI compliance reviews; successfully completed the 2023 Report of Compliance (ROC) for HSBC USA and completed the 2023 Attestation of Compliance (AOC) for the first time in recent HSBC PCI history.
With IT and cyber knowledge and a good understanding of how they support HSBC business processes, the following sampled controls and processes are reviewed, documented and communicated to the appropriate stakeholders:
Evaluate access and cryptography (encryption, decryption, key management life cycle) controls used to protect data at reception, in traverse and transpose, at rest, and during transmission over open, public networks.
Review and assist in the maintenance of the Vulnerability Management Program to ensure efficiency and effectiveness. Review and identify all endpoints (FW, IPS/IDS, EDR) and anti-virus for all systems and networks, along with uptime, capacity (bandwidth and throughput) and application data load, and monitor all respective KPIs (via HSBC dashboards and reports) to confirm their continued effectiveness.
Assist with the implementation of Strong Access Control Measures (such as TPAM and password vaults); review Segregation of Duties (SOD) across all in-scope applications/platforms for various user types (IT, admin, application, system, process) from the perspective of controls and justification based on business need to know.
Review and identify inappropriate users (including all system and generic accounts) and authenticate access to all system components (SSO, cloud, SAML, multifactor, ODBC, local, etc.) for in-scope PCI applications/platforms.
Review and help incorporate missing compliance controls/verbiage into all IT and Information Security policies/standards/procedures/guidelines; as a PCI SME, support Information Security with organizational policies and programs.
Review PCI DSS AOCs and provide the risk assessment needed from a PCI perspective. Participated in training webinars provided to third-party personnel to raise security awareness of PCI risks within third-party management.
Help consult on initiatives, programs, and projects to raise the security posture of the Information Security program.
Pragmatic and practical in my understanding of business risk and security, knowing when to pull in experts and escalate for solutions.
Collaborate and innovate with other teams within HSBC to enhance HSBC's security posture.
Familiar with various Cloud computing models to include IaaS, PaaS, and SaaS along with their architectural and access control models.
Familiar with storage services, security and access control management, container services, and API implementation and management.
Coordinate and execute Information Security assessments (for example: Threat Modeling, Architecture Reviews, etc.) for the business and technology teams covering Infrastructure Security, Resiliency, Data Security, Network Architecture, Design, and User Access Management.
Shulman Fleming & Partners
Mizuho Bank as an IT Audit (Contract) Consultant February 2023 – May 2023
Closure verification owner for various infrastructure/cyber/SOX issues/action plans/remediation.
Project manager for all closure verifications via tools such as Open Page, Archer, ServiceNow, etc.
Perform security and SOD reviews on access controls for IT SOX financial applications.
Support the First/Second Line of Defense in resolving IT and security issues for Matters Requiring Attention (MRA).
Veterans Sourcing Group
Morgan Stanley as a Cyber Audit (Contract) Consultant February 2022–January 6, 2023
Perform finance application audits with completeness, integrity, and accuracy as control objectives.
Closure verification owner for various infrastructure/cyber issues/action plans/remediation.
Project manager for all closure verifications via tools such as Open Page, Archer, ServiceNow, etc.
Perform security and SOD reviews on access controls for financial applications.
Support the First/Second Line of Defense in resolving IT and security issues and in evaluating/challenging controls based on the supporting evidence collected, and follow up with issue process owners for escalation.
Aditi and HCL Groups – OKTA, BDO, Bank of The West, Office Depot as an IT Audit/Compliance (Contract) Consultant July 2021 – February 2022
Perform PCI, HIPAA and SOX compliance audits (documented via Archer tools).
SOC report reviews for vendors (both cloud and on-site) used in support of a special project.
Security review on data files intended for a special project.
Closure verification owner for various infrastructure/cyber issues/action plans/remediation.
Project manager for all closure verifications via tools such as Open Page, Archer, ServiceNow, etc.
Perform security and SOD reviews on access controls for financial applications.
Support the First/Second Line of Defense in resolving IT and security issues and in evaluating/challenging controls based on the supporting evidence collected, and follow up with issue process owners for escalation.
Vendor security and contract management.
Bed Bath and Beyond February 2012 – July 2021
IT Audit Manager
As a SOX/Payment Card Industry hands-on SME, in charge of audit coordination and maintaining full ownership of audit execution for the IT platforms and infrastructure used to support SOX/PCI audit examinations and validation/verification testing, to ensure attestations of SOX, SOC and PCI compliance.
Assist with the installation/maintenance of network security controls (via minimum security baselines using industry best-practice approaches). Track and apply security configurations to all system components in a timely manner. Identify residual risks from the perspective of protecting stored critical/sensitive/confidential data.
Evaluate access and cryptography (encryption, decryption, key management life cycle) controls used to protect data at reception, in traverse and transpose, at rest, and during transmission over open, public networks.
Review and assist in the maintenance of the Vulnerability Management Program to ensure efficiency and effectiveness. Review and identify all endpoints (FW, IPS/IDS, EDR) and anti-virus for all systems and networks, along with uptime, capacity (bandwidth and throughput) and application data load, and monitor all respective KPIs to confirm their continued effectiveness.
Assist with the implementation of Strong Access Control Measures (such as CyberArk, password vaults, BitLocker, etc.); review access control lists annually and quarterly with SOD as a control/justification for business need to know.
Inventory and identify users (including all system and generic accounts) and authenticate access to all system components (SSO, SAML, multifactor, ODBC, local, etc.).
Audit and make recommendations on physical/environmental controls for the IT, LAN and WAN infrastructure used to support business operations (inputs, processes, outputs, backup).
Review and assist with SIEM to log and monitor all access to system components. Review and help refine data loss protections and continue to monitor their daily reports for anomalies.
Assist with network/system/SDLC testing of the security of systems and networks against the most recent OWASP Top 10.
Review and help incorporate missing compliance controls/verbiage into all IT and Information Security policies/standards/procedures/guidelines; as an SME, support Information Security with organizational policies and programs.
Protiviti Synchronoss Technologies June 2010 – October 2010
Audit and Security (Contract)Consultant
Perform controls review, risk mitigation and gap assessment for PCI Level 1 and 2 compliance audits and recommend compliance implementations (such as how to implement secured LAN/WAN and wireless networks).
The Blue Cross/Blue Shield Organization April 2008 – May 2010
Audit/Security(Contract)Consultant
As a consultant serving two BC/BS groups (FEPOC, the Federal Employee Program Operation Center, and Horizon) under Security Operations, responsible for and successfully performed the following tasks:
Deliver and support various IT audits for both internal (such as ISO 27001, ISO 31000, SOX 404 and 302, HIPAA, DOBI, SAS 70) and external auditors (PwC and E&Y) through gap (processes, technologies, and people) and risk management.
Mizuho Capital Market September 2007 – February 2008
Information Technologies Audit and Security (Contract) Consultant / Project Manager
Perform trading platform, IT, SOX, and other regulatory compliance audits (operations, financial, information systems, SDLC, etc.).
Responsible for risk assessment of trading limits and back-office operations, and for IT audit planning and execution.
Kyocera Mita September 2008 – October 2008; September 2009 – October 2009
Audit and Security (Contract) Consultant
Perform IT, SOX, and other regulatory compliance audits (operations, financial, Information systems, SDLC, etc.).
LifeTime Brands August 2008 – November 2008
PCI Audit and Security (Contract) Consultant
Perform PCI Level 2 compliance audit.
As a result, PCI compliance certification was granted to Lifetime Brands by the merchant bank.
Centennial Communication Corp February 2007 – March 2008
Information Technologies Audit Director
Perform PCI, IT, SOX and other regulatory compliance audits (operations, financial, information systems, SDLC, change management on software and configuration, etc.).
United Parcel Services July 2004 – February 2007
IT Audit Manager
Led a team of 11 IT auditors to successful SOX audit compliance for 2004, 2005 and 2006. Perform regular risk-based IT audits.
Perform IT general controls reviews on various platforms: OS systems, operations, security, database, interfaces, network, router, and firewall.
Perform both compliance and risk-based application reviews on various business functions such as GL, AP, AR, FA, credit adjustments, billing adjustments, HR, billing, invoicing and cashiering for both UPS domestic and international business entities.
The McGraw-Hill Companies July 2003 – July 2004
IT Audit Supervisor
Evaluate business processes and their built-in controls for Sarbanes-Oxley compliance.
Assess business requirements supported by IT infrastructure (OS systems, applications, interfaces, network, security, and database) around Sweets (construction info application), Dodge (construction info application), Business Week, Aviation Week, Broadcasting group, Platts (energy portal), and royalty programs.
Perform IT audits on data center, offsite storage, order entry, pricing, contracts management, billing, electronic approvals and applications such as Horizon, ADMARC (mainframe application), EMIS (web-based application), and Oracle ERP, and their associated business processes and controls.
Philip Morris Management March 2002 – July 2003
Senior Corporate Auditor, Information Systems
Perform IT audits for post-implementation SAP deployment. Audited areas such as the deployment process for a large number (1000+) of SAP clients, the data center housing the SAP instance/database, security, and disaster recovery, testing the controls built into the process and configuration.
Lucent Technologies April 1997 – October 2001
Senior IT Auditor, Project Manager
Perform project and quality management and system audits for the global SAP IT deployment, the PacketStar IP Service Platform (PIPSP), and the Year 2000 impact/solution team.
Served as a customer technical support engineer for optical network management products.
Weekend Warrior as an IT auditor instructor (CISA)
ISACA NJ (New Jersey - CISA instructor) October 2007 – October 2017
Xincon Training School (New Jersey - IT instructor) March 2006 – July 2012
Compu21 Training School (New York City - IT instructor) March 2006 – July 2012
Avtech Institute of Technology (New Jersey - IT instructor) March 2005 – June 2009
Education & Certifications
Internal Security Assessor (ISA)
Certified Information Systems Auditor (CISA) certificate number 0544346
ISO 9000-3 TickIT Lead Auditor Certificate No: 0904M031696/4 Registration No: A4728
Stevens Institute of Technology June 2000
Masters, Certificate for Project Management
Cheng Hsiu University, Taiwan
BSEE